<!DOCTYPE html>
<html lang="en" country="us">
<head>

<!-- Google Optimize anti-flicker block: the CSS rule and the inline snippet below hide the whole page
     until optimize.js has run, or until the 1900 ms timeout fires, whichever comes first. -->
<style>.async-hide {
            /* class is added to <html> by the snippet below and removed again by dataLayer.hide.end() */
            opacity: 0 !important
        } </style>
<script data-cfasync="false">if (!window.location.hostname.match(/marketodesigner/i)) {
            // Not run on hosts matching /marketodesigner/i (presumably the Marketo page-editor preview).
            // data-cfasync="false" is the Cloudflare Rocket Loader opt-out, so this executes synchronously.
            (function (a, s, y, n, c, h, i, d, e) {
                // a = window, s = <html> element, y = 'async-hide', n = 'dataLayer', c = timeout in ms,
                // h = { <optimize container id>: true }; i is assigned below, d and e are unused.
                s.className += ' ' + y;          // hide the page
                h.start = 1 * new Date;          // epoch ms at which hiding began
                h.end = i = function () {        // end(): strip the class and reveal the page
                    s.className = s.className.replace(RegExp(' ?' + y), '')
                };
                (a[n] = a[n] || []).hide = h;    // exposed as window.dataLayer.hide for optimize.js and the onerror handler below
                setTimeout(function () {         // safety net: reveal after c ms even if Optimize never calls end()
                    i();
                    h.end = null
                }, c);
                h.timeout = c;
            })(window, document.documentElement, 'async-hide', 'dataLayer', 1900,
                {'GTM-N8HXDD2': true})
        }</script>
<!-- optimize.js reveals the page through dataLayer.hide.end(); the inline onerror handler does the same
     when the script fails to load. NOTE(review): the inline onerror attribute (and the inline script above)
     need 'unsafe-inline' or 'unsafe-hashes' in a Content-Security-Policy script-src; attaching the error
     handler with addEventListener inside the snippet would let a nonce/hash-based CSP cover this block. -->
<script data-cfasync="false" async src="https://www.googleoptimize.com/optimize.js?id=GTM-N8HXDD2" onerror="dataLayer.hide.end && dataLayer.hide.end()"></script>

<script data-cfasync="false">(function (w, d, s, l, i) {
            // Google Tag Manager loader for container GTM-5V5LPNC.
            // w = window, d = document, s = 'script', l = dataLayer variable name, i = container id.
            w[l] = w[l] || [];
            w[l].push({                          // record load time and emit the 'gtm.js' event for the container
                'gtm.start':
                    new Date().getTime(), event: 'gtm.js'
            });
            var f = d.getElementsByTagName(s)[0],
                j = d.createElement(s), dl = l != 'dataLayer' ? '&l=' + l : '';  // dl is only set for a non-default dataLayer name
            j.async = true;                      // non-blocking load
            j.src =
                'https://www.googletagmanager.com/gtm.js?id=' + i + dl;
            f.parentNode.insertBefore(j, f);     // inject ahead of the first existing <script>
            // NOTE(review): gtm.js is loaded without Subresource Integrity (not feasible for a container that
            // changes on every publish), so every tag published through GTM-5V5LPNC executes with this page's
            // full origin privileges -- container publish rights are effectively production code-deploy rights.
        })(window, document, 'script', 'dataLayer', 'GTM-5V5LPNC');</script>

<!-- OneTrust cookie-consent SDK stub (cdn.cookielaw.org). The hashed "...-text/javascript" type looks like a
     Cloudflare Rocket Loader rewrite, which would defer execution until Rocket Loader re-enables the tag.
     NOTE(review): third-party script loaded without Subresource Integrity; the trust boundary is the
     cdn.cookielaw.org origin, so confirm that is acceptable for a consent-gating component. -->
<script src="https://cdn.cookielaw.org/scripttemplates/otSDKStub.js" data-document-language="true" type="ba4048a8260e34503bf4f48b-text/javascript" charset="UTF-8" data-domain-script=bee15b7c-b632-450e-9003-9c8b60b3b978></script>
<script type="ba4048a8260e34503bf4f48b-text/javascript">
    // Callback hook the OneTrust SDK looks for (presumably invoked after initialisation and on consent
    // changes); intentionally left as a no-op here.
    function OptanonWrapper() { }
</script>
<meta charset="UTF-8">
<meta name="HandheldFriendly" content="True">
<meta name="MobileOptimized" content="320">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="apple-mobile-web-app-capable" content="yes">
<meta http-equiv="cleartype" content="on">
<meta name='robots' content='index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1' />

<title>Linux-Targeted Malware Increases by 35% in 2021 | CrowdStrike</title>
<meta name="description" content="CrowdStrike has observed that malware targeting Linux-based systems increased by 35% in 2021. XorDDoS, Mirai and Mozi were the most common malware families." />
<link rel="canonical" href="https://www.crowdstrike.com/blog/linux-targeted-malware-increased-by-35-percent-in-2021/" />
<meta property="og:locale" content="en_US" />
<meta property="og:type" content="article" />
<meta property="og:title" content="Linux-Targeted Malware Increases by 35% in 2021 | CrowdStrike" />
<meta property="og:description" content="CrowdStrike has observed that malware targeting Linux-based systems increased by 35% in 2021. XorDDoS, Mirai and Mozi were the most common malware families." />
<meta property="og:url" content="https://www.crowdstrike.com/blog/linux-targeted-malware-increased-by-35-percent-in-2021/" />
<meta property="og:site_name" content="crowdstrike.com" />
<meta property="article:publisher" content="https://www.facebook.com/CrowdStrike/" />
<meta property="article:published_time" content="2022-01-13T12:04:18+00:00" />
<meta property="article:modified_time" content="2022-01-13T18:17:34+00:00" />
<meta property="og:image" content="https://www.crowdstrike.com/wp-content/uploads/2022/01/Blog_1060x698-6.jpeg" />
<meta property="og:image:width" content="1060" />
<meta property="og:image:height" content="698" />
<meta property="og:image:type" content="image/jpeg" />
<meta name="twitter:card" content="summary_large_image" />
<meta name="twitter:creator" content="@CrowdStrike" />
<meta name="twitter:site" content="@CrowdStrike" />
<meta name="twitter:label1" content="Written by" />
<meta name="twitter:data1" content="Mihai Maganu" />
<meta name="twitter:label2" content="Est. reading time" />
<meta name="twitter:data2" content="6 minutes" />
<script type="application/ld+json" class="yoast-schema-graph">{"@context":"https://schema.org","@graph":[{"@type":"WebSite","@id":"https://www.crowdstrike.com/#website","url":"https://www.crowdstrike.com/","name":"crowdstrike.com","description":"Next-Generation Endpoint Protection","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https://www.crowdstrike.com/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"ImageObject","@id":"https://www.crowdstrike.com/blog/linux-targeted-malware-increased-by-35-percent-in-2021/#primaryimage","inLanguage":"en-US","url":"https://www.crowdstrike.com/wp-content/uploads/2022/01/Blog_1060x698-6.jpeg","contentUrl":"https://www.crowdstrike.com/wp-content/uploads/2022/01/Blog_1060x698-6.jpeg","width":1060,"height":698},{"@type":"WebPage","@id":"https://www.crowdstrike.com/blog/linux-targeted-malware-increased-by-35-percent-in-2021/#webpage","url":"https://www.crowdstrike.com/blog/linux-targeted-malware-increased-by-35-percent-in-2021/","name":"Linux-Targeted Malware Increases by 35% in 2021 | CrowdStrike","isPartOf":{"@id":"https://www.crowdstrike.com/#website"},"primaryImageOfPage":{"@id":"https://www.crowdstrike.com/blog/linux-targeted-malware-increased-by-35-percent-in-2021/#primaryimage"},"datePublished":"2022-01-13T12:04:18+00:00","dateModified":"2022-01-13T18:17:34+00:00","author":{"@id":"https://www.crowdstrike.com/#/schema/person/ff2849bd66a3e4098b594ba7d929c5e7"},"description":"CrowdStrike has observed that malware targeting Linux-based systems increased by 35% in 2021. XorDDoS, Mirai and Mozi were the most common malware families.","breadcrumb":{"@id":"https://www.crowdstrike.com/blog/linux-targeted-malware-increased-by-35-percent-in-2021/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https://www.crowdstrike.com/blog/linux-targeted-malware-increased-by-35-percent-in-2021/"]}]},{"@type":"BreadcrumbList","@id":"https://www.crowdstrike.com/blog/linux-targeted-malware-increased-by-35-percent-in-2021/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Linux-Targeted Malware Increases by 35% in 2021: XorDDoS, Mirai and Mozi Most Prevalent"}]},{"@type":"Person","@id":"https://www.crowdstrike.com/#/schema/person/ff2849bd66a3e4098b594ba7d929c5e7","name":"Mihai Maganu","image":{"@type":"ImageObject","@id":"https://www.crowdstrike.com/#personlogo","inLanguage":"en-US","url":"http://1.gravatar.com/avatar/dab18ada535278018b2954a7aa294f3c?s=96&d=mm&r=g","contentUrl":"http://1.gravatar.com/avatar/dab18ada535278018b2954a7aa294f3c?s=96&d=mm&r=g","caption":"Mihai Maganu"},"url":"https://www.crowdstrike.com/blog/author/mihai-maganu/"}]}</script>

<link rel="preload" href="https://www.crowdstrike.com/wp-content/themes/main-theme/dist/scripts/header/megamenu-content.json" as="json"><link rel="preload" href="https://www.crowdstrike.com/wp-content/themes/main-theme/dist/scripts/header/top-nav.json" as="json"><link rel="preload" href="https://www.crowdstrike.com/wp-content/themes/main-theme/dist/data/blog/blog-nav.json" as="json"><link rel='stylesheet' id='single-post.min.css-css' href='https://www.crowdstrike.com/wp-content/themes/main-theme/dist/styles/pages/single-post.min.css?ver=1642025013' type='text/css' media='all' />
<link rel='stylesheet' id='theme-styles-css' href='https://www.crowdstrike.com/wp-content/themes/main-theme/dist/styles/theme-styles.min.css?ver=1642025013' type='text/css' media='screen' />
<link rel='stylesheet' id='tablepress-default-css' href='https://www.crowdstrike.com/wp-content/tablepress-combined.min.css?ver=3' type='text/css' media='all' />
<script type="ba4048a8260e34503bf4f48b-text/javascript" src='https://www.crowdstrike.com/wp-content/themes/main-theme/dist/scripts/fetch-inject.js?ver=1642025013' id='fetch-inject-js'></script>
<script type="ba4048a8260e34503bf4f48b-text/javascript" src='https://www.crowdstrike.com/wp-content/themes/main-theme/dist/scripts/components/blog-navigation.min.js?ver=1642025013' id='blog-navigation-js'></script>
<script type="ba4048a8260e34503bf4f48b-text/javascript" src='https://www.crowdstrike.com/wp-content/themes/main-theme/dist/scripts/components/blog-categories.min.js?ver=1642025013' id='blog-categories-js'></script>
<script type="ba4048a8260e34503bf4f48b-text/javascript" src='https://www.crowdstrike.com/wp-content/themes/main-theme/dist/scripts/components/blog-category-sidebar.min.js?ver=1642025013' id='blog-category-sidebar-js'></script>
<link rel='shortlink' href='https://www.crowdstrike.com/?p=53841' />
<link rel="icon" href="https://www.crowdstrike.com/wp-content/uploads/2018/09/favicon-96x96.png" sizes="32x32" />
<link rel="icon" href="https://www.crowdstrike.com/wp-content/uploads/2018/09/favicon-96x96.png" sizes="192x192" />
<link rel="apple-touch-icon" href="https://www.crowdstrike.com/wp-content/uploads/2018/09/favicon-96x96.png" />
<meta name="msapplication-TileImage" content="https://www.crowdstrike.com/wp-content/uploads/2018/09/favicon-96x96.png" />
</head>
<body class="post-template-default single single-post postid-53841 single-format-standard lang-en">

<noscript><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-5V5LPNC&nojs=1"
height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript>

<script type="application/ld+json">
    {
        "@context": "http://schema.org",
        "@type": "Organization",
        "name": "CrowdStrike",
        "url": "http://www.crowdstrike.com",
        "logo": "http://www.crowdstrike.com/wp-content/img/cs_logo.png",
        "sameAs": [
            "http://www.facebook.com/CrowdStrike/",
            "http://www.twitter.com/CrowdStrike/",
            "https://plus.google.com/101967380457820256808/",
            "http://www.linkedin.com/company/crowdstrike",
            "http://www.youtube.com/user/CrowdStrike"
        ]
    }
</script>
<div class="cs_page_container ">
<div class="cs_page_content">
<div class="cs_main_section">
<main class="main">
<article>
<div class="container">
<div class="row">
<div class="col-12 col-lg-8">
<h1>Linux-Targeted Malware Increases by 35% in 2021: XorDDoS, Mirai and Mozi Most Prevalent</h1>
<div class="publish_info">
<p>January 13, 2022</p> <a href="https://www.crowdstrike.com/blog/author/mihai-maganu/" title="Posts by Mihai Maganu" rel="author">Mihai Maganu</a> <ul class="post-categories">
<li><a href="https://www.crowdstrike.com/blog/category/endpoint-protection/" rel="category tag">Endpoint &amp; Cloud Security</a></li></ul> </div>
<div class="post_image"><img width="1060" height="698" src="https://www.crowdstrike.com/wp-content/uploads/2022/01/Blog_1060x698-6.jpeg" class="attachment-post-thumbnail size-post-thumbnail wp-post-image" alt="" loading="lazy" srcset="https://www.crowdstrike.com/wp-content/uploads/2022/01/Blog_1060x698-6.jpeg 1060w, https://www.crowdstrike.com/wp-content/uploads/2022/01/Blog_1060x698-6-300x198.jpeg 300w, https://www.crowdstrike.com/wp-content/uploads/2022/01/Blog_1060x698-6-1024x674.jpeg 1024w, https://www.crowdstrike.com/wp-content/uploads/2022/01/Blog_1060x698-6-768x506.jpeg 768w" sizes="(max-width: 1060px) 100vw, 1060px" /></div>
<div class="blog_content">
<ul>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Malware targeting Linux systems increased by 35% in 2021 compared to 2020</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">XorDDoS, Mirai and Mozi malware families accounted for over 22% of Linux-targeted threats observed by CrowdStrike in 2021</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Ten times more Mozi malware samples were observed in 2021 compared to 2020</span></li>
</ul>
<p><a href="https://www.crowdstrike.com/cybersecurity-101/malware/"><span style="font-weight: 400;">Malware</span></a><span style="font-weight: 400;"> targeting Linux-based operating systems, commonly deployed in Internet of Things (IoT) devices, has increased by 35% in 2021 compared to 2020, according to current CrowdStrike threat telemetry, with the top three malware families accounting for 22% of all Linux-based IoT malware in 2021.</span></p>
<p><span style="font-weight: 400;">XorDDoS, Mirai and Mozi are the most prevalent Linux-based malware families observed in 2021, with Mozi registering a significant tenfold increase in the number of in-the-wild samples in 2021 compared to 2020. The primary purpose of these malware families is to compromise vulnerable internet-connected devices, amass them into botnets, and use them to perform </span><a href="https://www.crowdstrike.com/cybersecurity-101/distributed-denial-of-service-ddos-attacks/"><span style="font-weight: 400;">distributed denial of service (DDoS) attacks</span></a><span style="font-weight: 400;">. </span></p>
<h2><span style="font-weight: 400;">Linux-based Malware and IoT</span></h2>
<p><span style="font-weight: 400;">Linux powers most of today’s cloud infrastructure and web servers, yet it also powers mobile and IoT devices. It’s popular because it offers scalability, security features and a wide range of distributions that support multiple hardware designs, along with strong performance across widely varying hardware requirements.</span></p>
<p><span style="font-weight: 400;">With various Linux builds and distributions at the heart of cloud infrastructure, mobile and IoT, Linux presents a massive opportunity for threat actors. For example, whether through hardcoded credentials, open ports or unpatched vulnerabilities, Linux-running IoT devices are low-hanging fruit for threat actors — and their en masse compromise can threaten the integrity of critical internet services. </span><a href="https://www.statista.com/statistics/1101442/iot-number-of-connected-devices-worldwide/"><span style="font-weight: 400;">More than 30 billion IoT devices are projected to be connected to the internet by the end of 2025</span></a><span style="font-weight: 400;">, creating a potentially very large attack surface that cybercriminals can exploit to build massive botnets.</span></p>
<p><span style="font-weight: 400;">A </span><a href="https://www.crowdstrike.com/cybersecurity-101/botnets/"><span style="font-weight: 400;">botnet</span></a><span style="font-weight: 400;"> is a network of compromised devices connected to a remote command-and-control (C2) center. Each infected device functions as a small cog in the larger network and can go on to infect other devices. Botnets are often used for DDoS attacks, spamming targets, gaining remote control and performing CPU-intensive activities like cryptomining. In a DDoS attack, multiple internet-connected devices flood a specific service or gateway with requests, consuming the entire available bandwidth so that legitimate traffic cannot pass through and the service crashes.</span></p>
<p><span style="font-weight: 400;">The 2016 Mirai botnet incident serves as a reminder that a large number of seemingly benign devices performing a DDoS attack can disrupt critical internet services, affecting both organizations and average users.</span><span style="font-weight: 400;">  </span></p>
<h2><span style="font-weight: 400;">Top Linux Threats in Today’s Landscape</span></h2>
<p><span style="font-weight: 400;">Analyzing the current Linux threat landscape, the XorDDoS, Mirai and Mozi malware families and variants have emerged as the most prolific in 2021, accounting for over 22% of all IoT Linux-targeting malware.</span></p>
<h3><span style="font-weight: 400;">XorDDoS: 123% Increase in Malware Samples</span></h3>
<p><span style="font-weight: 400;">XorDDoS is a Linux trojan compiled for multiple Linux architectures, ranging from ARM to x86 and x64. Its name is derived from its use of </span><a href="https://blog.malwaremustdie.org/2014/09/mmd-0028-2014-fuzzy-reversing-new-china.html"><span style="font-weight: 400;">XOR encryption</span></a><span style="font-weight: 400;"> both within the malware itself and in its network communication with the C2 infrastructure.</span></p>
<p><span style="font-weight: 400;">When targeting IoT devices, the trojan is known to use SSH brute-forcing attacks to gain remote control on vulnerable devices.</span></p>
<div id="attachment_53848" style="width: 997px" class="wp-caption alignnone"><a href="/wp-content/uploads/2022/01/Fig1.png" target="_blank" rel="noopener noreferrer"><img aria-describedby="caption-attachment-53848" loading="lazy" class="wp-image-53848 size-full" src="https://www.crowdstrike.com/wp-content/uploads/2022/01/Fig1.png" alt="" width="987" height="136" srcset="https://www.crowdstrike.com/wp-content/uploads/2022/01/Fig1.png 987w, https://www.crowdstrike.com/wp-content/uploads/2022/01/Fig1-300x41.png 300w, https://www.crowdstrike.com/wp-content/uploads/2022/01/Fig1-768x106.png 768w" sizes="(max-width: 987px) 100vw, 987px" /></a><p id="caption-attachment-53848" class="wp-caption-text">Fig. 1 &#8211; Docker’s <a href="https://docs.docker.com/engine/reference/commandline/dockerd/">official documentation</a> (Click to enlarge)</p></div>
<p><span style="font-weight: 400;">On Linux machines, some XorDDoS variants show that its operators scan for Docker servers with port 2375 open. This port exposes the Docker socket unencrypted and without authentication — in effect, remote passwordless root access to the host — which </span><a href="https://madhuakula.com/content/attacking-and-auditing-docker-containers-using-opensource/attacking-docker-containers/misconfiguration.html"><span style="font-weight: 400;">attackers can abuse</span></a><span style="font-weight: 400;"> to gain root access to the machine.</span></p>
<p><span style="font-weight: 400;">CrowdStrike researchers have found that the number of XorDDoS malware samples throughout 2021 has increased by almost 123% compared to 2020.</span></p>
<div id="attachment_53849" style="width: 2009px" class="wp-caption alignnone"><a href="/wp-content/uploads/2022/01/Fig2.png" target="_blank" rel="noopener noreferrer"><img aria-describedby="caption-attachment-53849" loading="lazy" class="wp-image-53849 size-full" src="https://www.crowdstrike.com/wp-content/uploads/2022/01/Fig2.png" alt="" width="1999" height="1298" srcset="https://www.crowdstrike.com/wp-content/uploads/2022/01/Fig2.png 1999w, https://www.crowdstrike.com/wp-content/uploads/2022/01/Fig2-300x195.png 300w, https://www.crowdstrike.com/wp-content/uploads/2022/01/Fig2-1024x665.png 1024w, https://www.crowdstrike.com/wp-content/uploads/2022/01/Fig2-768x499.png 768w, https://www.crowdstrike.com/wp-content/uploads/2022/01/Fig2-1536x997.png 1536w" sizes="(max-width: 1999px) 100vw, 1999px" /></a><p id="caption-attachment-53849" class="wp-caption-text">Fig. 2 &#8211; Falcon detection for Linux XorDDoS malware sample (Click to enlarge)</p></div>
<h3><span style="font-weight: 400;">Mozi: 10 Times More Prevalent in 2021</span></h3>
<p><span style="font-weight: 400;">Mozi is a peer-to-peer (P2P) botnet network that utilizes the distributed hash table (DHT) system, implementing its own extended DHT. The distributed and decentralized lookup mechanism provided by DHT enables Mozi to hide C2 communication behind a large amount of legitimate DHT traffic.</span></p>
<div id="attachment_53850" style="width: 708px" class="wp-caption alignnone"><img aria-describedby="caption-attachment-53850" loading="lazy" class="size-full wp-image-53850" src="https://www.crowdstrike.com/wp-content/uploads/2022/01/Fig3.png" alt="" width="698" height="359" srcset="https://www.crowdstrike.com/wp-content/uploads/2022/01/Fig3.png 698w, https://www.crowdstrike.com/wp-content/uploads/2022/01/Fig3-300x154.png 300w" sizes="(max-width: 698px) 100vw, 698px" /><p id="caption-attachment-53850" class="wp-caption-text">Fig. 3 &#8211; Credits: <a href="https://kn0wledge.fr/projects/mozitools/">Kn0wledge</a></p></div>
<p><span style="font-weight: 400;">The use of DHT is interesting because it allows Mozi to quickly grow a P2P network. And, because it uses an extension over DHT, it’s not correlated with normal traffic, so detecting the C2 communication becomes difficult.</span></p>
<p><span style="font-weight: 400;">Mozi infects systems by brute-forcing SSH and Telnet credentials. It then blocks those ports so that the infected device cannot be taken over by other malicious actors or malware.</span></p>
<div id="attachment_53851" style="width: 2009px" class="wp-caption alignnone"><a href="/wp-content/uploads/2022/01/Fig4.png" target="_blank" rel="noopener noreferrer"><img aria-describedby="caption-attachment-53851" loading="lazy" class="size-full wp-image-53851" src="https://www.crowdstrike.com/wp-content/uploads/2022/01/Fig4.png" alt="" width="1999" height="1169" srcset="https://www.crowdstrike.com/wp-content/uploads/2022/01/Fig4.png 1999w, https://www.crowdstrike.com/wp-content/uploads/2022/01/Fig4-300x175.png 300w, https://www.crowdstrike.com/wp-content/uploads/2022/01/Fig4-1024x599.png 1024w, https://www.crowdstrike.com/wp-content/uploads/2022/01/Fig4-768x449.png 768w, https://www.crowdstrike.com/wp-content/uploads/2022/01/Fig4-1536x898.png 1536w" sizes="(max-width: 1999px) 100vw, 1999px" /></a><p id="caption-attachment-53851" class="wp-caption-text">Fig. 4 &#8211; Falcon detection for Linux Mozi malware sample (Click to enlarge)</p></div>
<h3><span style="font-weight: 400;">Mirai: The Common Ancestor</span></h3>
<p><span style="font-weight: 400;">Mirai malware has made a name for itself in the last few years, especially after its developer published Mirai’s </span><a href="https://github.com/jgamblin/Mirai-Source-Code/blob/master/ForumPost.txt"><span style="font-weight: 400;">source code</span></a><span style="font-weight: 400;">. Similar to Mozi, Mirai abuses weak protocols, such as Telnet, and weak passwords to compromise devices using brute-forcing attacks.</span></p>
<p><span style="font-weight: 400;">With multiple Mirai variants emerging since its source code became public, the Linux trojan can be considered the common ancestor to many of today’s Linux DDoS malware. While most variants add onto existing Mirai features or implement different communication protocols, at their core they share the same Mirai DNA.</span></p>
<p><span style="font-weight: 400;">Some of the most prevalent variants tracked by CrowdStrike researchers include Sora, IZIH9 and Rekai. Compared to 2020, the numbers of identified samples for all three variants have increased by 33%, 39% and 83% respectively in 2021.</span></p>
<div id="attachment_53852" style="width: 2009px" class="wp-caption alignnone"><a href="/wp-content/uploads/2022/01/Fig5.png" target="_blank" rel="noopener noreferrer"><img aria-describedby="caption-attachment-53852" loading="lazy" class="size-full wp-image-53852" src="https://www.crowdstrike.com/wp-content/uploads/2022/01/Fig5.png" alt="" width="1999" height="1203" srcset="https://www.crowdstrike.com/wp-content/uploads/2022/01/Fig5.png 1999w, https://www.crowdstrike.com/wp-content/uploads/2022/01/Fig5-300x181.png 300w, https://www.crowdstrike.com/wp-content/uploads/2022/01/Fig5-1024x616.png 1024w, https://www.crowdstrike.com/wp-content/uploads/2022/01/Fig5-768x462.png 768w, https://www.crowdstrike.com/wp-content/uploads/2022/01/Fig5-1536x924.png 1536w" sizes="(max-width: 1999px) 100vw, 1999px" /></a><p id="caption-attachment-53852" class="wp-caption-text">Fig. 5 &#8211; Falcon detection for Linux Mirai malware sample (Click to enlarge)</p></div>
<h3><span style="font-weight: 400;">CrowdStrike Protection for Linux</span></h3>
<p><span style="font-weight: 400;">Linux is one of the primary operating systems for many business-critical applications. As Linux servers can be found on premises and in private and public clouds, protecting them requires a solution that provides runtime protection and visibility for all Linux hosts, regardless of location.</span></p>
<p><span style="font-weight: 400;">The CrowdStrike Falcon® platform protects Linux workloads, including containers, running in all environments, from public and private clouds to on-premises and hybrid data centers. Using machine learning, artificial intelligence, behavior-based </span><a href="https://www.crowdstrike.com/cybersecurity-101/indicators-of-compromise/ioa-vs-ioc/"><span style="font-weight: 400;">indicators of attack (IOAs)</span></a><span style="font-weight: 400;"> and custom hash blocking to defend Linux workloads against malware and sophisticated threats, the Falcon platform delivers complete visibility and context into any attack on Linux workloads.</span></p>
<h2><span style="font-weight: 400;">Indicators of Compromise (IOCs)</span></h2>
<table class="orange">
<thead>
<tr class="top-row bg-orange">
<th scope="col">File</th>
<th scope="col">SHA256</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>Mozi</code></td>
<td><a href="https://www.hybrid-analysis.com/sample/4790754ccd895626c67f0d63736577d363de7e7684b624d584615d83532d1414"><code><span style="text-decoration: underline;">4790754ccd895626c67f0d63736577d363de7e7684b624d584615d83532d1414</span></code></a></td>
</tr>
<tr>
<td><code>XorDDoS</code></td>
<td><a href="https://hybrid-analysis.com/sample/f85f13bf67bba755ec5f4c46d760f460a2dc137494d7edf64aeb22ddc2f30760/5f365532439f551c2b28e199"><code><span style="text-decoration: underline;">f85f13bf67bba755ec5f4c46d760f460a2dc137494d7edf64aeb22ddc2f30760</span></code></a></td>
</tr>
<tr>
<td><code>Mirai</code></td>
<td><a href="https://www.hybrid-analysis.com/sample/4f2f4d758d13a9cb2fd4c71e8015ba622b2b4c1c26ceb1114b258d6e3c174010"><code><span style="text-decoration: underline;">4f2f4d758d13a9cb2fd4c71e8015ba622b2b4c1c26ceb1114b258d6e3c174010</span></code></a></td>
</tr>
</tbody>
</table>
<h4><span style="font-weight: 400;">Additional Resources</span></h4>
<ul>
<li><em><span style="font-weight: 400;">Learn more about how the Falcon platform protects Linux systems in </span><a href="https://www.crowdstrike.com/resources/data-sheets/linux-solution-brief/"><span style="font-weight: 400;">this solution brief</span></a><span style="font-weight: 400;">.</span></em></li>
<li><em><span style="font-weight: 400;">Read </span><a href="https://www.crowdstrike.com/press-releases/crowdstrike-falcon-expands-linux-protection-with-enhanced-prevention-capabilities/"><span style="font-weight: 400;">this press release</span></a><span style="font-weight: 400;"> about CrowdStrike Falcon’s enhanced Linux protection.</span></em></li>
<li><em><span style="font-weight: 400;">Find out how the powerful </span><a href="https://www.crowdstrike.com/endpoint-security-products/falcon-platform/"><span style="font-weight: 400;">CrowdStrike Falcon platform</span></a><span style="font-weight: 400;"> provides comprehensive protection across your organization, workers, data and identities.</span></em></li>
<li><em><a href="https://www.crowdstrike.com/resources/free-trials/try-falcon-prevent/"><span style="font-weight: 400;">Get a full-featured free trial of CrowdStrike Falcon Prevent&#x2122;</span></a><span style="font-weight: 400;"> and learn how true next-gen AV performs against today’s most sophisticated threats.</span></em></li>
</ul>
</div>
</div>
</div>
</div>
</article>
</main>
</div>
</div>
</div>
</body>
</html>